// AddGetKeyCryptoServiceInterfaceBehaviorTests tests expected behavior for // adding keys in a signed.CryptoService and other read operations on the // crypto service after keys are present // 1. Adding a key succeeds // 2. Getting the key should return the same key, without error // 3. Removing the key succeeds func AddGetKeyCryptoServiceInterfaceBehaviorTests(t *testing.T, cs signed.CryptoService, algo string) { expectedRolesToKeys := make(map[string]string) for i := 0; i < 2; i++ { var ( addedPrivKey data.PrivateKey err error ) role := data.BaseRoles[i+1] switch algo { case data.RSAKey: addedPrivKey, err = trustmanager.GenerateRSAKey(rand.Reader, 2048) case data.ECDSAKey: addedPrivKey, err = trustmanager.GenerateECDSAKey(rand.Reader) case data.ED25519Key: addedPrivKey, err = trustmanager.GenerateED25519Key(rand.Reader) default: require.FailNow(t, "invalid algorithm %s", algo) } require.NoError(t, err) require.NotNil(t, addedPrivKey) require.NoError(t, cs.AddKey(role, "docker.io/notary", addedPrivKey)) expectedRolesToKeys[role] = addedPrivKey.ID() } testGetKey(t, cs, expectedRolesToKeys, algo, true) }
// GenRootKey generates a new root key func (km *KeyStoreManager) GenRootKey(algorithm string) (string, error) { var err error var privKey data.PrivateKey // We don't want external API callers to rely on internal TUF data types, so // the API here should continue to receive a string algorithm, and ensure // that it is downcased switch strings.ToLower(algorithm) { case data.RSAKey: privKey, err = trustmanager.GenerateRSAKey(rand.Reader, rsaRootKeySize) case data.ECDSAKey: privKey, err = trustmanager.GenerateECDSAKey(rand.Reader) default: return "", fmt.Errorf("only RSA or ECDSA keys are currently supported. Found: %s", algorithm) } if err != nil { return "", fmt.Errorf("failed to generate private key: %v", err) } // Changing the root km.KeyStore.AddKey(privKey.ID(), "root", privKey) return privKey.ID(), nil }
// Given a keystore and expected key that is in the store, export the key // and assert that the exported key is the same and encrypted with the right // password. func assertExportKeySuccess( t *testing.T, s KeyStore, expectedKey data.PrivateKey) { pemBytes, err := s.ExportKey(expectedKey.ID()) require.NoError(t, err) reparsedKey, err := ParsePEMPrivateKey(pemBytes, cannedPassphrase) require.NoError(t, err) require.Equal(t, expectedKey.Private(), reparsedKey.Private()) require.Equal(t, expectedKey.Public(), reparsedKey.Public()) }
// AddKey stores the contents of a PEM-encoded private key as a PEM block func (s *KeyMemoryStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error { s.Lock() defer s.Unlock() if keyInfo.Role == data.CanonicalRootRole || data.IsDelegation(keyInfo.Role) || !data.ValidRole(keyInfo.Role) { keyInfo.Gun = "" } err := addKey(s, s.PassRetriever, s.cachedKeys, filepath.Join(keyInfo.Gun, privKey.ID()), keyInfo.Role, privKey) if err != nil { return err } s.keyInfoMap[privKey.ID()] = keyInfo return nil }
// AddKey puts a key inside the Yubikey, as well as writing it to the backup store func (s *YubiStore) AddKey(keyInfo trustmanager.KeyInfo, privKey data.PrivateKey) error { added, err := s.addKey(privKey.ID(), keyInfo.Role, privKey) if err != nil { return err } if added && s.backupStore != nil { err = s.backupStore.AddKey(keyInfo, privKey) if err != nil { defer s.RemoveKey(privKey.ID()) return ErrBackupFailed{err: err.Error()} } } return nil }
// AddKey puts a key inside the Yubikey, as well as writing it to the backup store func (s *YubiKeyStore) AddKey(keyID, role string, privKey data.PrivateKey) error { added, err := s.addKey(keyID, role, privKey) if err != nil { return err } if added { err = s.backupStore.AddKey(privKey.ID(), role, privKey) if err != nil { defer s.RemoveKey(keyID) return ErrBackupFailed{err: err.Error()} } } return nil }
// Given a keystore and expected key, generate an encrypted PEM of the key // and assert that the then imported key is the same and encrypted with the // right password. func assertImportKeySuccess( t *testing.T, s KeyStore, expectedKey data.PrivateKey) { pemBytes, err := EncryptPrivateKey(expectedKey, cannedPassphrase) assert.NoError(t, err) err = s.ImportKey(pemBytes, "root") assert.NoError(t, err) reimportedKey, reimportedAlias, err := s.GetKey(expectedKey.ID()) assert.NoError(t, err) assert.Equal(t, "root", reimportedAlias) assert.Equal(t, expectedKey.Private(), reimportedKey.Private()) assert.Equal(t, expectedKey.Public(), reimportedKey.Public()) }
// AddKey stores the contents of a private key. Both role and gun are ignored, // we always use Key IDs as name, and don't support aliases func (s *cachedKeyService) AddKey(role, gun string, privKey data.PrivateKey) error { if err := s.CryptoService.AddKey(role, gun, privKey); err != nil { return err } // Add the private key to our cache s.lock.Lock() defer s.lock.Unlock() s.cachedKeys[privKey.ID()] = &cachedKey{ role: role, key: privKey, } return nil }
// Only add if we haven't seen the key already. Return whether the key was // added. func (s *YubiKeyStore) addKey(keyID, role string, privKey data.PrivateKey) ( bool, error) { // We only allow adding root keys for now if role != data.CanonicalRootRole { return false, fmt.Errorf( "yubikey only supports storing root keys, got %s for key: %s", role, keyID) } ctx, session, err := SetupHSMEnv(pkcs11Lib, s.libLoader) if err != nil { logrus.Debugf("Failed to initialize PKCS11 environment: %s", err.Error()) return false, err } defer cleanup(ctx, session) if k, ok := s.keys[keyID]; ok { if k.role == role { // already have the key and it's associated with the correct role return false, nil } } slot, err := getNextEmptySlot(ctx, session) if err != nil { logrus.Debugf("Failed to get an empty yubikey slot: %s", err.Error()) return false, err } logrus.Debugf("Attempting to store key using yubikey slot %v", slot) err = addECDSAKey( ctx, session, privKey, slot, s.passRetriever, role) if err == nil { s.keys[privKey.ID()] = yubiSlot{ role: role, slotID: slot, } return true, nil } logrus.Debugf("Failed to add key to yubikey: %v", err) return false, err }
// AddKey adds a private key to a specified role. // The GUN is inferred from the cryptoservice itself for non-root roles func (cs *CryptoService) AddKey(role, gun string, key data.PrivateKey) (err error) { // First check if this key already exists in any of our keystores for _, ks := range cs.keyStores { if keyInfo, err := ks.GetKeyInfo(key.ID()); err == nil { if keyInfo.Role != role { return fmt.Errorf("key with same ID already exists for role: %s", keyInfo.Role) } logrus.Debugf("key with same ID %s and role %s already exists", key.ID(), keyInfo.Role) return nil } } // If the key didn't exist in any of our keystores, add and return on the first successful keystore for _, ks := range cs.keyStores { // Try to add to this keystore, return if successful if err = ks.AddKey(trustmanager.KeyInfo{Role: role, Gun: gun}, key); err == nil { return nil } } return // returns whatever the final values were }
// AddKey stores the contents of a PEM-encoded private key as a PEM block func (s *GenericKeyStore) AddKey(keyInfo KeyInfo, privKey data.PrivateKey) error { var ( chosenPassphrase string giveup bool err error pemPrivKey []byte ) s.Lock() defer s.Unlock() if keyInfo.Role == data.CanonicalRootRole || data.IsDelegation(keyInfo.Role) || !data.ValidRole(keyInfo.Role) { keyInfo.Gun = "" } keyID := privKey.ID() for attempts := 0; ; attempts++ { chosenPassphrase, giveup, err = s.PassRetriever(keyID, keyInfo.Role, true, attempts) if err == nil { break } if giveup || attempts > 10 { return ErrAttemptsExceeded{} } } if chosenPassphrase != "" { pemPrivKey, err = utils.EncryptPrivateKey(privKey, keyInfo.Role, keyInfo.Gun, chosenPassphrase) } else { pemPrivKey, err = utils.KeyToPEM(privKey, keyInfo.Role, keyInfo.Gun) } if err != nil { return err } s.cachedKeys[keyID] = &cachedKey{alias: keyInfo.Role, key: privKey} err = s.store.Set(keyID, pemPrivKey) if err != nil { return err } s.keyInfoMap[privKey.ID()] = keyInfo return nil }
// AddKey stores the contents of a private key. Both role and gun are ignored, // we always use Key IDs as name, and don't support aliases func (s *SQLKeyDBStore) AddKey(role, gun string, privKey data.PrivateKey) error { passphrase, _, err := s.retriever(privKey.ID(), s.defaultPassAlias, false, 1) if err != nil { return err } encryptedKey, err := jose.Encrypt(string(privKey.Private()), KeywrapAlg, EncryptionAlg, passphrase) if err != nil { return err } gormPrivKey := GormPrivateKey{ KeyID: privKey.ID(), EncryptionAlg: EncryptionAlg, KeywrapAlg: KeywrapAlg, PassphraseAlias: s.defaultPassAlias, Algorithm: privKey.Algorithm(), Gun: gun, Role: role, Public: string(privKey.Public()), Private: encryptedKey, } // Add encrypted private key to the database s.db.Create(&gormPrivKey) // Value will be false if Create succeeds failure := s.db.NewRecord(gormPrivKey) if failure { return fmt.Errorf("failed to add private key to database: %s", privKey.ID()) } return nil }
// Create is used to generate keys for targets, snapshots and timestamps func (cs *CryptoService) Create(role, gun, algorithm string) (data.PublicKey, error) { var privKey data.PrivateKey var err error switch algorithm { case data.RSAKey: privKey, err = utils.GenerateRSAKey(rand.Reader, notary.MinRSABitSize) if err != nil { return nil, fmt.Errorf("failed to generate RSA key: %v", err) } case data.ECDSAKey: privKey, err = utils.GenerateECDSAKey(rand.Reader) if err != nil { return nil, fmt.Errorf("failed to generate EC key: %v", err) } case data.ED25519Key: privKey, err = utils.GenerateED25519Key(rand.Reader) if err != nil { return nil, fmt.Errorf("failed to generate ED25519 key: %v", err) } default: return nil, fmt.Errorf("private key type not supported for key generation: %s", algorithm) } logrus.Debugf("generated new %s key for role: %s and keyID: %s", algorithm, role, privKey.ID()) // Store the private key into our keystore for _, ks := range cs.keyStores { err = ks.AddKey(trustmanager.KeyInfo{Role: role, Gun: gun}, privKey) if err == nil { return data.PublicKeyFromPrivate(privKey), nil } } if err != nil { return nil, fmt.Errorf("failed to add key to filestore: %v", err) } return nil, fmt.Errorf("keystores would not accept new private keys for unknown reasons") }
// Create is used to generate keys for targets, snapshots and timestamps func (ccs *CryptoService) Create(role, algorithm string) (data.PublicKey, error) { var privKey data.PrivateKey var err error switch algorithm { case data.RSAKey: privKey, err = trustmanager.GenerateRSAKey(rand.Reader, rsaKeySize) if err != nil { return nil, fmt.Errorf("failed to generate RSA key: %v", err) } case data.ECDSAKey: privKey, err = trustmanager.GenerateECDSAKey(rand.Reader) if err != nil { return nil, fmt.Errorf("failed to generate EC key: %v", err) } case data.ED25519Key: privKey, err = trustmanager.GenerateED25519Key(rand.Reader) if err != nil { return nil, fmt.Errorf("failed to generate ED25519 key: %v", err) } default: return nil, fmt.Errorf("private key type not supported for key generation: %s", algorithm) } logrus.Debugf("generated new %s key for role: %s and keyID: %s", algorithm, role, privKey.ID()) // Store the private key into our keystore with the name being: /GUN/ID.key with an alias of role for _, ks := range ccs.keyStores { err = ks.AddKey(filepath.Join(ccs.gun, privKey.ID()), role, privKey) if err == nil { return data.PublicKeyFromPrivate(privKey), nil } } if err != nil { return nil, fmt.Errorf("failed to add key to filestore: %v", err) } return nil, fmt.Errorf("keystores would not accept new private keys for unknown reasons") }
// AddKey stores the contents of a private key. Both role and gun are ignored, // we always use Key IDs as name, and don't support aliases func (rdb *RethinkDBKeyStore) AddKey(keyInfo trustmanager.KeyInfo, privKey data.PrivateKey) error { passphrase, _, err := rdb.retriever(privKey.ID(), rdb.defaultPassAlias, false, 1) if err != nil { return err } encryptedKey, err := jose.Encrypt(string(privKey.Private()), KeywrapAlg, EncryptionAlg, passphrase) if err != nil { return err } now := time.Now() rethinkPrivKey := RDBPrivateKey{ Timing: rethinkdb.Timing{ CreatedAt: now, UpdatedAt: now, }, KeyID: privKey.ID(), EncryptionAlg: EncryptionAlg, KeywrapAlg: KeywrapAlg, PassphraseAlias: rdb.defaultPassAlias, Algorithm: privKey.Algorithm(), Public: string(privKey.Public()), Private: encryptedKey} // Add encrypted private key to the database _, err = gorethink.DB(rdb.dbName).Table(rethinkPrivKey.TableName()).Insert(rethinkPrivKey).RunWrite(rdb.sess) if err != nil { return fmt.Errorf("failed to add private key to database: %s", privKey.ID()) } // Add the private key to our cache rdb.lock.Lock() defer rdb.lock.Unlock() rdb.cachedKeys[privKey.ID()] = privKey return nil }
// AddKey stores the contents of a private key. Both name and alias are ignored, // we always use Key IDs as name, and don't support aliases func (s *KeyDBStore) AddKey(name, alias string, privKey data.PrivateKey) error { passphrase, _, err := s.retriever(privKey.ID(), s.defaultPassAlias, false, 1) if err != nil { return err } encryptedKey, err := jose.Encrypt(string(privKey.Private()), KeywrapAlg, EncryptionAlg, passphrase) if err != nil { return err } gormPrivKey := GormPrivateKey{ KeyID: privKey.ID(), EncryptionAlg: EncryptionAlg, KeywrapAlg: KeywrapAlg, PassphraseAlias: s.defaultPassAlias, Algorithm: privKey.Algorithm(), Public: string(privKey.Public()), Private: encryptedKey} // Add encrypted private key to the database s.db.Create(&gormPrivKey) // Value will be false if Create succeeds failure := s.db.NewRecord(gormPrivKey) if failure { return fmt.Errorf("failed to add private key to database: %s", privKey.ID()) } // Add the private key to our cache s.Lock() defer s.Unlock() s.cachedKeys[privKey.ID()] = privKey return nil }
// AddKey stores the contents of a private key. Both role and gun are ignored, // we always use Key IDs as name, and don't support aliases func (rdb *RethinkDBKeyStore) AddKey(role, gun string, privKey data.PrivateKey) error { passphrase, _, err := rdb.retriever(privKey.ID(), rdb.defaultPassAlias, false, 1) if err != nil { return err } encryptedKey, err := jose.Encrypt(string(privKey.Private()), KeywrapAlg, EncryptionAlg, passphrase) if err != nil { return err } now := rdb.nowFunc() rethinkPrivKey := RDBPrivateKey{ Timing: rethinkdb.Timing{ CreatedAt: now, UpdatedAt: now, }, KeyID: privKey.ID(), EncryptionAlg: EncryptionAlg, KeywrapAlg: KeywrapAlg, PassphraseAlias: rdb.defaultPassAlias, Algorithm: privKey.Algorithm(), Gun: gun, Role: role, Public: privKey.Public(), Private: []byte(encryptedKey), } // Add encrypted private key to the database _, err = gorethink.DB(rdb.dbName).Table(rethinkPrivKey.TableName()).Insert(rethinkPrivKey).RunWrite(rdb.sess) if err != nil { return fmt.Errorf("failed to add private key %s to database: %s", privKey.ID(), err.Error()) } return nil }
// gets a key from the DB store, and asserts that the key is the expected key func testGetSuccess(t *testing.T, dbStore *KeyDBStore, expectedKey data.PrivateKey) { retrKey, _, err := dbStore.GetKey(expectedKey.ID()) assert.NoError(t, err) assert.Equal(t, retrKey, expectedKey) }
// addECDSAKey adds a key to the yubikey func addECDSAKey( ctx IPKCS11Ctx, session pkcs11.SessionHandle, privKey data.PrivateKey, pkcs11KeyID []byte, passRetriever passphrase.Retriever, role string, ) error { logrus.Debugf("Attempting to add key to yubikey with ID: %s", privKey.ID()) err := login(ctx, session, passRetriever, pkcs11.CKU_SO, SO_USER_PIN) if err != nil { return err } defer ctx.Logout(session) // Create an ecdsa.PrivateKey out of the private key bytes ecdsaPrivKey, err := x509.ParseECPrivateKey(privKey.Private()) if err != nil { return err } ecdsaPrivKeyD := ensurePrivateKeySize(ecdsaPrivKey.D.Bytes()) // Hard-coded policy: the generated certificate expires in 10 years. startTime := time.Now() template, err := trustmanager.NewCertificate(role, startTime, startTime.AddDate(10, 0, 0)) if err != nil { return fmt.Errorf("failed to create the certificate template: %v", err) } certBytes, err := x509.CreateCertificate(rand.Reader, template, template, ecdsaPrivKey.Public(), ecdsaPrivKey) if err != nil { return fmt.Errorf("failed to create the certificate: %v", err) } certTemplate := []*pkcs11.Attribute{ pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_CERTIFICATE), pkcs11.NewAttribute(pkcs11.CKA_VALUE, certBytes), pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID), } privateKeyTemplate := []*pkcs11.Attribute{ pkcs11.NewAttribute(pkcs11.CKA_CLASS, pkcs11.CKO_PRIVATE_KEY), pkcs11.NewAttribute(pkcs11.CKA_KEY_TYPE, pkcs11.CKK_ECDSA), pkcs11.NewAttribute(pkcs11.CKA_ID, pkcs11KeyID), pkcs11.NewAttribute(pkcs11.CKA_EC_PARAMS, []byte{0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}), pkcs11.NewAttribute(pkcs11.CKA_VALUE, ecdsaPrivKeyD), pkcs11.NewAttribute(pkcs11.CKA_VENDOR_DEFINED, yubikeyKeymode), } _, err = ctx.CreateObject(session, certTemplate) if err != nil { return fmt.Errorf("error importing: %v", err) } _, err = ctx.CreateObject(session, privateKeyTemplate) if err != nil { return fmt.Errorf("error importing: %v", err) } return nil }
// addKey allows you to add a private key func (e *Ed25519) addKey(k data.PrivateKey) { e.keys[k.ID()] = k }
// addKey allows you to add a private key func (e *Ed25519) addKey(role string, k data.PrivateKey) { e.keys[k.ID()] = edCryptoKey{ role: role, privKey: k, } }